The Client-Server Model
The biggest hurdle for new scripters is understanding the boundary between the Server (the Roblox computers) and the Client (the player's device).
The Server (The Source of Truth)
The Server is the master computer hosted by Roblox. Code running on the Server (via Scripts) affects the entire world. If a Server Script deletes a tree, that tree disappears for all 50 players in the server.
The Server is also secure against tampering: exploiters (hackers) cannot access or modify Server Scripts.
The Client (The Illusion)
The Client is the player's computer or phone. Code running on the Client (via LocalScripts) ONLY affects that specific player. If a LocalScript deletes a tree, the tree disappears on their screen, but the other 49 players still see the tree!
Exploiters have full control over their Client. They can delete walls, change their local cash value, and modify LocalScripts. Because of this, never trust the Client.
FilteringEnabled (FE)
Roblox uses a system called FilteringEnabled. This means any changes a Client makes to the game world are completely ignored by the Server.
- If an exploiter gives themselves 1,000,000 gold using a local cheat engine, the Server ignores it. When the Server saves their data, it saves their real gold amount (0).
- If you try to give a player gold using a LocalScript inside a UI Button, it won't work! The Server will ignore the change. You must ask the Server to do it.
Network Ownership
There is one major exception to FilteringEnabled: Network Ownership. To make movement feel smooth, the Server temporarily gives the Client physics control over their own character. This is why exploiters can fly or run really fast—they control the physics of their own avatar. The Server must detect and punish this behavior.
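One way the Server can detect the speed case described above, written in Luau as an added example (not code from the original page). It covers running too fast, not flying. The constants and the kick message are assumed values, and it assumes the game has no vehicles, server-side teleports, or speed boosts that are not reflected in WalkSpeed.

```lua
-- Added example: a Script in ServerScriptService, so it runs only on the Server.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 0.5 -- seconds between checks (assumed value)
local TOLERANCE = 1.5      -- slack for lag and physics jitter (assumed value)
local MAX_STRIKES = 5      -- violations before a kick (assumed value)

local lastGood = {} -- [Player] = last accepted HumanoidRootPart position
local strikes = {}  -- [Player] = number of violations so far

local function checkPlayer(player, elapsed)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid) or humanoid.Health <= 0 then
		lastGood[player] = nil -- dead or respawning: restart tracking afterwards
		return
	end
	local previous = lastGood[player]
	lastGood[player] = root.Position
	if not previous then
		return
	end
	-- Compare horizontal movement only, so falling does not count as speeding.
	local moved = ((root.Position - previous) * Vector3.new(1, 0, 1)).Magnitude
	-- WalkSpeed is read on the Server; a value edited on the Client never reaches it.
	if moved > humanoid.WalkSpeed * elapsed * TOLERANCE then
		strikes[player] = (strikes[player] or 0) + 1
		character:PivotTo(CFrame.new(previous)) -- put the character back
		lastGood[player] = previous
		if strikes[player] >= MAX_STRIKES then
			player:Kick("Unexpected movement detected.")
		end
	end
end

Players.PlayerRemoving:Connect(function(player)
	lastGood[player] = nil
	strikes[player] = nil
end)

while true do
	local elapsed = task.wait(CHECK_INTERVAL)
	for _, player in ipairs(Players:GetPlayers()) do
		checkPlayer(player, elapsed)
	end
end
```

Moving the character back before counting toward a kick keeps a lag spike from removing an honest player on the first violation.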